“Back porch preacher preaching at me Acting like he wrote the golden rules Shaking his fist and speeching at me Shouting from his soap box like a fool Come Sunday morning he’s lying in bed With his eye all red, with the wine in his head Wishing he was dead when he oughta be Heading for Sunday school

Clean up your own backyard Oh don’t you hand me none of your lines Clean up your own backyard You tend to your business, I’ll tend to mine”

The breach was finally disclosed by the OPM in June 2015 but started in March 2014. So what was stolen? According to the report I received today, it included (ready for this): 1) Social Security Number, 2) Full Name, 3) Address, 4) Education History, 5) Employment History, 6) Information on my dependents and close family, and 7) my SF86 from when I applied for my security clearance, among other data. For those who are unaware, the SF86 is a 127-page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life, including 1) friends’ names, 2) emotional and psychological health, 3) use of alcohol and drugs, 4) financial issues, 5) affiliations with groups and more! This information is much more personal and sensitive than just a Social Security number.

I find it amusing that within 2 days of Target notifying that they had been victimized by criminals who stole millions of credit card numbers, the “Honorable” Senator Menendez (D-NJ), a sitting US Senator (and “back porch preacher” who is now under criminal indictment), would deride Target and ask whether the “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable.” He then continued: “if a company doesn’t invest in security to ensure customer data can’t be stolen, then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’, yet when the OPM is breached the US Government distances itself from any liability. This is sine qua non for any action in which the Federal Government fails: they simply deny that they failed. According to OPM spokesperson Samuel Shumach: “The intrusions into OPM’s systems were criminal acts committed by unknown adversaries for criminal purposes. As a result, we have done and continue to do everything possible to protect the security of OPM systems and the records contained in those systems. We will also continue to contact those who may have been affected, and to offer credit monitoring.” The OPM, in their letter, graciously offered (read closely): “These services are offered as a convenience to you,” “However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.” Our government officials simply hold corporations which have credit card data stolen to a different standard.

OPM does not maintain a comprehensive inventory of servers, databases, and network devices. In addition, we are unable to independently attest that OPM has a mature vulnerability scanning program.

Eleven major OPM systems are operating without a valid Authorization. This represents a Material weakness in the internal control structure of OPM’s IT Security Program.

Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&Ms) and the majority of systems contain POA&Ms that are over 120 days old.

Multi-factor authentication is not required to access OPM systems in accordance with OPM memorandum M-11-11.

For those in the infosec world, these findings should both anger and horrify you. A government organization that handles the most sensitive of personal data cannot even be bothered to implement two-factor authentication? For those of us who have served either in the military or the government, this incompetence is neither surprising nor unexpected. The absolute lack of accountability the US Government takes with regard to its own failings is troubling yet, again, not unexpected.

With these lunatics running the asylum it is little wonder that the OPM has been breached by the Chinese. Maybe a more accurate description would be monkeys running the zoo or even clowns running the circus. Either way, until the US Government can clean up its own backyard, that “back porch preacher” should “Tend to its own business and I’ll tend to mine.”